Simulate Traffic, Find Botnets

The Problem: A new financial services company found itself increasingly vulnerable to zero-day exploits and botnets, which put its high-valued assets and developing reputation at extreme risk.

The Details: Canaras Capital Management is an asset manager specializing in risk investments in markets for corporate credit. Founded in 2006, it has offices in New York and the United Kingdom and manages $630 million in assets.

When Canaras CIO Raffi Jamgotchian built the company’s information technology infrastructure last year, he installed several security products including an Astaro Security Gateway-a unified threat management appliance that includes a firewall, intrusion detection, spam filtering and antivirus-and a ConSentry switch that controls network access.

Jamgotchian worries still about unknown software vulnerabilities-flaws that could be discovered and exploited by a hacker. He figured his secure switch would pick up any massive worm attacks, but a slow, steady, stealth botnet attack might get through his defenses and plant malware that could propagate inside the network and steal information. Protecting Canaras’ intellectual property and reputation is paramount.

Jamgotchian has limited control over Canaras’ workforce. Six of the 12 employees are mobile, and they log in to Canaras’ network from all over the world. “Bringing those bugs back home is always a problem,” he says. He’s concerned about malware sneaking into the network through roaming machines.

The Solution: The Botwall 4200 appliance from FireEye. Prices for this model start at $21,000. The appliance plugs into a switch’s span port or a test access port and receives a copy of all traffic flowing through that device. It sets up a virtual attacker and a virtual victim, runs the traffic and looks for patterns-such as illegal connections to a botnet command and control center-and attacks, known or suspected.

Because it recreates traffic in a virtual environment, Botwall can follow any malware infection to completion, says Phil Lin, FireEye’s product marketing director. If, for example, the traffic creates a buffer overflow and causes the virtual victim to “phone home” to a botnet command and control center, Botwall can capture and store copies of malicious data packets on the spot.

“Malware is polymorphic, and there’s so much variation it’s impossible for signature-based products to keep up,” Lin says. If Botwall does find a problem, it triggers an alert and reports the offending machine’s IP address, name and operating system, as well as the exploited port and protocol. It can be administered through a dashboard. It also stores data packets for post-event analysis.

FireEye works with law enforcement, and offers customers the option of joining its Botwall Network, a fee-based service that collects information from FireEye customers and disseminates threat trends.

The Results: Jamgotchian installed Botwall trouble free in half a day and has been through one upgrade, which he says went smoothly. He says the appliance “sits quietly” on his network and doesn’t interfere with performance, which he appreciates. He has tested Botwall against known malware attacks, which it detected, and recently built his own botnet and let it loose inside a test network he’d created out of a separate hub and two virtual desktops. Botwall also detected this botnet.

Now he wants FireEye to work with his switch vendor to integrate the ConSentry Networks switch with FireEye. If Botwall were to notify the switch of an infected machine, Jamgotchian says, the switch could then automatically isolate traffic at the appropriate network port.